JP2006202180A - Access management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve the efficiency of management of users using application service. <P>SOLUTION: A service provision system 10 is provided with a group user management system 30 including a management module 40 in addition to a service providing application 60. The management module 40 is provided with a user management part 42 for managing user information, a group management part 44 for managing groups to which users belong and an access right list processing part 46 for managing a function capable of setting access right to an application. An operator 100 allows respective users to belong to one or more groups and sets access right to an application in each group. Consequently the access right of each user to the application is managed based on the group to which the user belongs. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a technique for managing a user who uses an application service, and particularly to a technique for managing a user's access authority.

  A technique for providing application services such as a file sharing service (a service for sharing a file such as a document with other users) and an image processing service (a service for processing or printing image data) on a network is known. In an application service, user management is normally performed using authentication information for authenticating a user and access authority information for restricting a service that can be used by the user and a method for using the service. A user who wants to use the application service accesses the application service from a terminal device such as a PC (personal computer), an MFP (multifunction peripheral) having an image forming function, a scanner function, or the like, or a portable terminal through, for example, a Web browser. At this time, the authentication information is authenticated and an access right to this application service is given.

  Examples of the authentication method include password authentication, digital certificate, biometric authentication (biometric authentication), authentication combining these, and the like. The authentication method to be adopted is determined in consideration of, for example, high safety, ease of operation, introduction cost, and the like. The following Patent Documents 1 and 2 disclose technologies that allow a plurality of authentication methods to be selected for the convenience of the user.

  The following Patent Document 1 relates to a technique for providing an application service by performing user authentication based on biometric information after ensuring the security of authentication. Specifically, when there is a biometric authentication unit that receives information about a safety requirement level from an application for which a service request has been received, receives information about a biometric authentication unit that can be presented from a user, and satisfies the safety requirement level Only carry out user authentication.

  Japanese Patent Application Laid-Open No. 2004-228561 describes that an authentication method is registered in advance for each user in the image forming apparatus, and the user is authenticated using an available method.

  The following Patent Document 3 discloses a technique regarding a distributed system that controls access to network resources. Here, in a service called a directory service, access authority is centrally managed using attribute values of users and groups. Specifically, an access control object including a group object and a plurality of rule objects is prepared to control access to a management object as a network resource. The group object associates a user with a group, and the rule object associates a set of group objects and a set of management objects. As a result, the access right to the management object is given to the users belonging to the group associated with the access control object.

JP 2003-256376 A JP 2004-5408 A Japanese Patent Laid-Open No. 11-338839

  In providing application services to a plurality of users, it is desirable to efficiently manage these users. One way to do this is to manage users in groups. For example, the user can be managed according to the characteristics of the usage group by determining the authentication method and the security level of the authentication according to the usage environment and safety policy of the usage group. However, Patent Documents 1 and 2 do not mention or suggest a technique for managing users in groups. Further, in the above-mentioned Patent Document 3, a technique for managing users in groups is disclosed, but there is no mention of association with authentication method settings.

  An object of the present invention is to improve the efficiency of management of users who use application services.

  Another object of the present invention is to perform access right setting for an application service while at the same time improving both safety and efficiency in an environment in which a user who uses the application service is registered in a user group. .

  Note that, when a plurality of access authorities are set for a certain user, generally, all authorities are given by one authentication. However, in this case, even in operations that do not require advanced access rights, advanced access rights will be obtained, and serious administrative damage such as deleting important management files will cause serious damage to the system. There is a risk of bringing. In order to avoid this, there is a method in which the correspondence between the user and the access authority group is set on a one-to-one basis, and in order to use different access authorities, authentication is performed as different users. In this case, considering security safety, it is desirable not to clearly indicate the correspondence between the access authority and the user, but generally it is difficult to rely only on the user's memory, and the user notes the correspondence on paper, etc. Will cause security problems.

  Still another object of the present invention is to improve safety when a plurality of access authorities are given to a user.

  An access management program according to the present invention provides an application service to a computer system comprising registration means for registering a user in at least one of a plurality of user groups and service providing means for providing at least one application service to the user. Access right setting means for setting the access right for each user group, and access right giving means for authenticating the user and granting the access right set to at least one user group to which the user belongs.

  The computer system is a system including one or a plurality of computers, and includes a registration unit and a service providing unit. A user can usually access a computer system via a network. The registration means registers a user who uses the application service or this computer system in general in the user group. The user group is a unit for managing a plurality of users collectively, and can be created, for example, in association with real attributes of the user such as departments in the workplace, engaged projects, and positions. The service providing means provides an application service to the user. Examples of application services include services that hold and exchange data such as documents, image processing services that perform printing and processing based on image data, and the like.

  The access management program is installed in this computer system and causes the computer system to realize at least access right setting means and access right giving means. The access management program may be packaged together with a program that realizes registration means or service providing means. The access right setting means sets the access right for the user application service in units of user groups. The setting is performed based on user input or by acquiring information from another computer system. The access right granting unit performs user authentication, and grants the access right set to the corresponding user group based on the setting by the access right setting unit when the authentication is successful.

  According to this configuration, the access right to be given to the user can be set in units of user groups, so that user management can be facilitated while maintaining security safety. The application service requested by the user is likely to be determined depending on the actual attribute of the user. In particular, when user group setting corresponding to the actual attribute of the user is performed, the efficiency of user management is further improved.

  In one aspect of the access management program according to the present invention, the access right granting unit includes an authentication method setting unit that sets a plurality of authentication methods that can be used for user authentication for each user group, and a plurality of items that are set based on user selection. Authentication method selection means for selecting an authentication method to be actually used for authentication from the above authentication methods. As an authentication method set in the authentication method setting means, various methods such as password authentication, authentication using a certificate based on PKI, and biometric authentication can be adopted. Such an authentication method may be specifically set by user designation, or may be indirectly set by specifying a safety level by associating a safety level with an authentication method in advance, for example. Is possible. The authentication method selection unit determines an authentication method to be actually used from a plurality of authentication methods based on user selection. The determination of the authentication method based on the user selection may be performed at the time of authentication or may be performed in advance.

  In one aspect of the access management program of the present invention, the authentication method selection means presents the user with a plurality of authentication methods set in the user group to which the user belongs, and prompts the user selection. The presentation is performed through display display, voice, or the like. Further, prompting the user to select means that the user is asked to decide the authentication method, and for example, a process of causing the user to select a candidate displayed on the display is performed.

  In one aspect of the access management program of the present invention, at least one application service has a plurality of service functions, and the access right setting means can set an access right for each service function. When there are service functions common to a plurality of application services, they can be set together.

  In one aspect of the access management program of the present invention, the service providing unit provides a plurality of application services, and the access right setting unit and the access right granting unit collectively manage access rights to these application services. That is, a plurality of application services are centrally managed by one access right setting unit and access right giving unit. As a result, user management is simplified, and smooth operation can be performed when an application is added or deleted.

  In one aspect of the access management program of the present invention, the registration means registers the user in a plurality of user groups, and the access right granting means presents the user groups to which the user belongs, and based on the user selection. , Authenticate the user as belonging to any user group and grant the corresponding access rights. If a different access right is set for each user group, the user can acquire the access right by receiving authentication as belonging to a user group having a desired access right. When the access right is set according to the characteristics of the user group, the user can easily remember the corresponding access right from the user group. Therefore, even if the relationship between the access right and the user group is not explicitly shown, the user can accurately select the user group and obtain the desired access right. For this reason, the safety | security at the time of giving a some access right to a user improves.

  The computer system of the present invention includes a registration unit for registering a user in at least one of a plurality of user groups, a service providing unit for providing at least one application service to the user, and an access right to the application service for each user group. And an access right setting unit that authenticates a user and grants an access right set to at least one user group to which the user belongs.

  The computer according to the present invention is a computer used in a computer system including registration means for registering a user in at least one of a plurality of user groups and service providing means for providing at least one application service to the user. An access right setting unit that sets an access right to the application service in units of user groups, an access right granting unit that authenticates the user and grants an access right set to at least one user group to which the user belongs, Is provided.

  The access management method of the present invention is a method executed by a computer system comprising: registration means for registering a user in at least one of a plurality of user groups; and service providing means for providing at least one application service to the user. An access right setting step for setting an access right for the application service in a user group unit, and an access right granting step for authenticating the user and giving the access right set to at least one user group to which the user belongs. And including.

  FIG. 1 is a schematic diagram illustrating a functional configuration of a system according to the present embodiment. This system includes a service providing system 10, a network 70 connected to the service providing system 10, and a PC 80 and an MFP (multifunction machine having a copy function, a FAX function, etc.) 70 as terminal devices connected to the network 70. Is included.

  The service providing system 10 is a system provided for performing application services, and is configured using hardware such as a computer and a file server, and software for controlling the operation of the hardware. Specifically, the service providing system 10 includes a database 20, a group user management system 30, and an application 60.

  The database 20 is constructed using a storage device such as a file server, and stores necessary data as appropriate. The group user management system 30 is configured by installing software in a computing device such as a PC, and includes a management module 40, a management operation UI (user interface) 50, and an application interface 52 as internal modules. The management module 40 is a module that is the center of management, and includes the components of a user management unit 42, a group management unit 44, and an access right list processing unit 46. The user management unit 42 manages user information about the user to be used, the group management unit 44 manages group information of the group to which the user belongs, and the access right list processing unit 46 manages the access right to the application 60. ing. The management operation UI 50 is a user interface for operating the management module 40 and is operated by the operation operator 100. The application interface 52 is an interface for the application 60 to use the management module 40.

  The application 60 is a service group provided by the service providing system 10, and here, includes a text transmission / reception 62, a file sharing 64, and an XX application 66. The function of each service may be realized by different hardware, or may be realized by the same hardware. The hardware for realizing each service may be the same as or different from that of the group user management system 30.

  A WEB_Browser 82 is installed in the PC 80. The general user 110 can use each service of the application 60 by logging in to the service providing system 10 through the WEB_Browser 82. Similarly, the general user 110 can use each service of the application 60 through the WEB_Browser 92 installed in the MFP 90. The general user 110 holds a password (PWD) 112, a certificate 114 issued by a PKI certificate authority, biometric authentication information 116 using a fingerprint, and the like, and performs input when logging into the service providing system 10.

  Here, each information which the management module 40 manages is demonstrated using FIGS.

  FIG. 2 shows an example of the user information list 200 managed by the user management unit 42. The user information list 200 includes user information 210, 212,. . . Is included, and incidental information about each user is stored. This situation will be described in detail by taking user information 210 as an example.

  The user information 210 includes a user ID 220, a name 222, a user attribute 224, credit information 226, and a group ID list 228 as items for storing incidental information. The user ID 220 is a unique symbol assigned by the system at the time of generation to identify each user, and stores a value of “U-0123” here. In addition, in the name 222, “○ × Ichiro” which is the real name of this user is registered. The item of the user attribute 224 includes information such as the affiliation of the user, such as affiliation 240 (head office general affairs department), mail address 242 (marubatu@xx.jp), address 244 (〒 012 Tokyo...), Telephone number 246 (0120-91-233). The credit information 226 is data used for authentication. Each user can be assigned a plurality of pieces of trust information corresponding to a plurality of authentication methods. Here, a class 1 certificate 250 as a digital certificate based on PKI, fingerprint authentication information 252 as biometric information, and Password 254 is registered. The affiliation group ID list 228 stores information indicating the group to which the user belongs. A user can belong to a plurality of groups, and here, group IDs of GP0124, GP0131, and GP0132 are registered.

  FIG. 3 shows an example of the group information list 300 managed by the group management unit 44. In the group information list 300, group information 310, 312,. . . And the incidental information about each group is stored. This will be described in detail by taking the group information 310 as an example.

  The group information 310 includes a group ID 320, a group name 322, a group attribute 324, an access right list 326, and an authentication method 328 as items for storing incidental information. The group ID 320 is a unique symbol assigned by the system at the time of generation to identify each group, and stores a value of “GP0123” here. In the group name 322, “General Affairs Department Manager”, which is a name that characterizes users included in this group, is registered. The item of the group attribute 324 includes information such as contact information of this group, company name 340 (XX Co., Ltd.), department name 342 (Head Office General Affairs Department), representative 344 (General Affairs Department Ichiro), mail address 346 (marubatu @ xx.jp), an address 348 (〒 012 Tokyo...), and a telephone number 350 (0120-91-233).

  The access right list 326 includes two items, a file sharing application 360 and a document transmission / reception application 370, which are application names that can be used by users belonging to this group. The file sharing application 360 is an application for sharing a file among a plurality of users, and the document transmission / reception application 370 is an application for transmitting a document to another user or receiving a document from another user. In the access right list 326, functions that can actually be used by this application are registered. That is, the users belonging to this group include the group shared file update 362, group shared file reference 364, and folder update 366 functions in the file sharing application 360, the transmission setting update 372 in the document transmission / reception application 370, and the transmission destination table. The access right to the function of the update 374 can be acquired. In the item of the authentication method 328, an authentication method name that can be used for authentication of users belonging to this group is registered. Here, the methods of class 1 certificate 380 and fingerprint authentication 382 are registered. That is, when a user uses an application as a member of this group, the user must be authenticated by the class 1 certificate 380 or fingerprint authentication 382 method.

  A plurality of users can be registered for each set group. This user registration is performed by registering this group ID in the corresponding user information in the user information list 200 shown in FIG.

  FIG. 4 shows an example of the access right list 400 managed by the access right list processing unit 46. In the system, a copy of the list can be used as necessary. In this case, the access right list 400 managed by the access right list processing unit 46 is a list (master) to be trusted as a copy source. An access right for each application is defined in the access right list 400. Here, the file sharing application 410, the document transmission / reception application 412, the confidential document management application 414,. . . Items are provided. These include application function lists 420, 422, 424,. . . Is provided. Application function list 420, 422, 424,. . . Is registered with a function identifier. The function identifier defines a function provided in the corresponding application, and also defines a setting unit of access rights for these applications.

  For example, the application function list 420 of the file sharing application 410 includes a group shared file reference 430, a group shared file update 432, a user personal file reference 434, a user personal file update 436, a folder list 438, and a folder update. Each function identifier of 440 is registered, and the access right can be set. The application function list 422 of the document transmission / reception application 412 includes a reception folder reference 450, a document transmission 452, a document reception 454, a transmission destination table reference 456, a transmission destination table update 458, and a transmission setting update 460. Function identifier is registered.

  The operation operator (administrator) 100 illustrated in FIG. 1 can operate the user information list 200, the group information list 300, and the access right list 400 described above via the management operation UI 50. Examples of operations include user creation, deletion and attribute modification, group creation, deletion and attribute modification, user registration and deregistration to groups, group access rights setting and modification, and group authentication methods. Setting etc. can be mentioned.

  The application interface 52 plays a role of allowing the application 60 to use the user information list 200, the group information list 300, and the access right list 400. That is, each application belonging to the application 60 can refer to the group to which the user belongs, refer to the authentication method permitted by the group, authenticate the user based on the credit information, and the like.

  Accordingly, each application belonging to the application 60 performs processing using the user information list 200, the group information list 300, and the access right list 400 when the user requests access to any of the applications, for example. be able to. Specifically, a process for presenting and selecting an available group to the user, a process for presenting an authentication method that can be used in the selected group to the user, and authentication information based on the user ID and the specified authentication method are input. Authentication processing when the authentication is successful, processing for limiting the user's operation by acquiring the access right corresponding to the case where the authentication is successful, and the like can be performed.

  Next, the setting procedure of the service providing system 10 will be described with reference to FIG. FIG. 5 is a flowchart illustrating a process in which setting is performed based on an instruction from the operation operator 100 in the service providing system 10 illustrated in FIG.

  When an application is newly added or changed (S10), the operation operator operates the management operation UI to correct the access right list. That is, registration and change of an application identifier and registration or change of a function identifier for the application function list are performed (S12). For example, when registering a file sharing application, its application name as an identifier and group shared file reference as a function identifier, group shared file update, folder list, folder update, user personal file reference, Register items such as updating user personal files.

  The operation operator creates a group as required (S14). A group name is given to a group at the time of creation, and a group ID automatically assigned for identification by the system is assigned. In addition, organizations to which real-world users belong are registered as group attributes. Further, an access right list is provided for the group (S16), the applications that can be used in the group and their function identifiers are set, and usable authentication methods are also set.

  The operation operator registers a user as necessary. Registration is performed by providing the user information in the user information list. In registration, a uniquely identifiable user ID is assigned, and attributes such as a name and a affiliation can be input and stored.

  For the user, group registration is performed as required (S18). Registration is performed by registering the group ID of the group to which the user wants to belong to the item of the user in the user information list. Users who already belong to one group can belong to another group.

  The operation operator can change the group settings as necessary. The change is made with respect to, for example, a group name, a group attribute, an access right list, an authentication method, and the like. In addition, the operation operator can delete a group or cancel a user's group registration.

  Next, the use procedure of the service providing system 10 will be described with reference to FIG. FIG. 6 is a flowchart illustrating a process in which a user uses an application through the WEB_Browser with respect to the service providing system 10 illustrated in FIG.

  The user who intends to use the application accesses the application from the WEB_Browser of the terminal device and displays the use start screen (S50). When receiving the use start request, the application acquires a group list in which the access right to the application is set from the group user management system via the application interface (S52). Then, the application displays a list of available groups on the use start screen (S54). At this time, the authentication method assigned to the group is also displayed as accompanying information.

  The user selects the authentication method of the group he / she wants to use and inputs the authentication information and the like (S56). The application operates the management operation UI to correct the access right list. In the application, it is determined whether or not a user ID, a group ID, and authentication information have been input (S58). If no input is performed, processing such as waiting for input or displaying an error after a certain time has elapsed is performed. On the other hand, when input is performed, authentication is requested to the group user management system through the application system. The group user management system compares the input user ID, group ID, and authentication information with the managed user ID, group ID, and credit information (S60), and returns the result to the application. In the application, it is evaluated whether or not the authentication is successful (S62). If the authentication is unsuccessful, the user is notified that the application cannot be used, and the process is terminated. On the other hand, if the authentication is successful, the user is permitted to log in. The application acquires information about the access right given to the group used for authentication from the group user management system through the application interface (S64). Then, the application displays the acquired access right information on the terminal device (S66). The user can use the application based on the granted access right (S68).

  Here, how the user logs in to the application from WEB_Browser will be described with reference to FIGS.

  FIG. 7 is a diagram showing a use start screen (login screen) 500 for the file sharing application. On the screen, a group setting field 502 for setting a group used for login is provided. The group setting column includes a tab 504 for displaying candidates, a candidate display column 506 for displaying a plurality of group names when the tab 504 is clicked, and a group in which the group name selected in the candidate display column 506 is displayed. A determination column 508 is provided. In the illustrated example, the candidate display field 506 displays the group names of “cooperating company”, “general employee”, “document management G”, and “confidential G”. In response to the selection of “document management G”, “document management G” is displayed in the group determination column 508.

  On the screen, there is further provided an authentication method display field 510 for displaying an authentication method accepted by the group displayed in the group determination field 508. In the illustrated example, “employee certificate” and “common account password” recognized in “document management G” are displayed. The user determines a group while referring to the authentication method displayed here, and clicks an authentication execution button 512. As a result, login under the determined group is performed.

  FIG. 8 is a flowchart showing an operation procedure on the use start screen 500 shown in FIG. When the user logs in to the file sharing application from WEB_Browser, the usage start screen shown in FIG. 7 is displayed from the file sharing application. Then, when the user clicks on the tab 504, a group having access authority in this file sharing application is displayed in a list in the candidate display field 506 (S80). The user clicks the displayed candidate to select a group used for login (S82). At this time, the authentication method accepted by the selected group is displayed in the authentication method display field 510 (S84). When the user confirms this authentication method and determines that it is appropriate, the user clicks an authentication execution button 512. As a result, the screen display is switched to an authentication stage for inputting authentication information (S86).

  As described above, even when the same application is used, when a mechanism for selecting a group used for login from a plurality of groups is provided, an advantage not found in the past can be obtained.

  For example, conventionally, the authentication method is not set for each group, and different authentication methods cannot be adopted for each group. Therefore, when a user tries to log in under a different group instead of a certain group, an input with different authentication information (for example, password input with a different value) is usually required in the same authentication method. For this reason, users belonging to a plurality of groups are required to store a plurality of similar authentication information. In this case, providing a mechanism for assisting the user's memory is not preferable from the viewpoint of confidentiality because authentication information must be suggested.

  On the other hand, in the above-described aspect, for example, an aspect in which the authentication method is changed for each group (for example, a password and a certificate) can be taken. In this case, by clearly indicating an authentication method that can be used for the user at the time of login, the user's memory can be assisted, and the security of the authentication information is not impaired.

  Also, it is effective to clearly specify an authentication method that can be used for the user at the time of login in order to prevent confusion of the user in a system in which the setting is frequently changed. Usually, the setting of the access right for the group is set by the administrator independently of the application. For this reason, general users tend to have difficulty grasping setting changes. However, as described above, the application can always provide the latest information to the user by inquiring the group user management module for the latest setting when logging in.

  Furthermore, when the above-described aspect is adopted, the configuration of the application can be simplified. In other words, since the group user management system manages the authentication method associated with the group, it is not necessary for each application to manage the authentication management correspondence required for each group. This is a preferable mode from the viewpoint of software design and from the viewpoint of setting work by the administrator.

It is the schematic which shows the system configuration example which concerns on this Embodiment. It is a figure which shows the example of a user information list. It is a figure which shows the example of a group information list. It is a figure which shows the example of an access right list. It is a flowchart which shows the setting procedure of a service provision system. It is a flowchart which shows the utilization procedure of a service provision system. It is a schematic diagram which shows the example of a utilization start screen. It is a flowchart which shows the operation | movement procedure which concerns on a use start screen.

Explanation of symbols

  10 service providing system, 20 database, 30 group user management system, 40 management module, 42 user management unit, 44 group management unit, 46 access right list processing unit, 50 management operation UI, 52 application interface, 60 application, 62 text transmission / reception , 64 File sharing, 66 XX application, 70 network, 100 operator, 110 general user, 114 certificate, 116 biometric information, 200 user information list, 300 group information list, 400 access right list, 500 use start screen, 502 Group setting column, 504 tab, 506 candidate display column, 508 group determination column, 510 authentication method display column, 512 authentication execution button.

Claims (9)

A computer system comprising: registration means for registering a user in at least one of a plurality of user groups; and service providing means for providing at least one application service to the user.
Access right setting means for setting access rights to application services in units of user groups;
Access right granting means for authenticating a user and granting an access right set to at least one user group to which the user belongs;
An access management program characterized by comprising: The access management program according to claim 1,
The access right granting means includes an authentication method setting means for setting a plurality of authentication methods that can be used for user authentication for each user group, and
An authentication method selection means for selecting an authentication method to be actually used for authentication from a plurality of set authentication methods based on user selection;
An access management program comprising: The access management program according to claim 2,
An access management program characterized in that, in the authentication method selection means, a plurality of authentication methods set in a user group to which a user belongs is presented to the user and the user selection is prompted. The access management program according to claim 1,
At least one application service has multiple service functions,
An access management program characterized in that, in the access right setting means, an access right can be set for each service function. The access management program according to claim 1,
The service providing means provides a plurality of application services,
An access management program, wherein the access right setting means and the access right granting means collectively manage access rights to these application services. The access management program according to claim 1,
The registration means registers the user in a plurality of user groups,
The access right granting unit presents a plurality of user groups to which the user belongs, authenticates the user as belonging to any one of the user groups, and grants a corresponding access right based on the user selection. Access control program. Registration means for registering a user in at least one of a plurality of user groups;
Service providing means for providing at least one application service to a user;
Access right setting means for setting access rights to application services in units of user groups;
Access right granting means for authenticating a user and granting an access right set to at least one user group to which the user belongs;
A computer system comprising: A computer used in a computer system comprising: registration means for registering a user in at least one of a plurality of user groups; and service providing means for providing at least one application service to the user,
Access right setting means for setting access rights to application services in units of user groups;
Access right granting means for authenticating a user and granting an access right set to at least one user group to which the user belongs;
A computer comprising: A method executed by a computer system comprising: registration means for registering a user in at least one of a plurality of user groups; and service providing means for providing at least one application service to the user,
An access right setting step for setting an access right to the application service in units of user groups;
An access right granting step for authenticating a user and granting an access right set to at least one user group to which the user belongs;
An access management method comprising:

Images